Password-stealing phishing attack comes disguised as a fake meeting request from the boss
I believe that most of my Office 365 cloud-based clients are now wary of the many different phishing attempts to steal login credentials via fake Microsoft login sites. Phishing emails arrive using different tactics to entice you into surrendering your information.
Some examples; you receive an email with an attached phone message, PDF attachment or a fax document. When you click on the attachment or link it takes you to either a realistic replica of the Microsoft portal or a not so realistic page that require you to log in with your Office 365 or Outlook credentials. These criminals have started including all major email services including Gmail, Yahoo, and other services on the landing page. In many cases, they have already included your email address since they know who the phishing attempt was sent to. All that is required to wreak havoc on you is your password.
If the email requires you to log in using your email and password to retrieve the document or attachment then assume it is a scam. In either case, your login information is captured and then used to generate spam or steal your personal and financial information.
This week I have assisted 2 compromised clients. Fortunately, in both cases damage was minimal. The first client alerted me quickly when she started receiving email replies and phone call from contacts regarding spam sent from her email. In this instance, the hacker did not hide his tracks and I was able to retrieve IP info and track back to Lagos, Nigeria, not like there is any retribution for the perp.
The latest attempt shows an advancement in sophistication and tactics.
It just so happened I was doing some work for the client when the email arrived. It was from the client's legit email address, but what got my interest was no address listed under the To: field.
I opened my secure browser and copied and followed the link, it took me to a fake landing page and asked for my Office 365 credentials to retrieve the document. Suspecting that the client had been compromised, I replied to the email and asked if he had sent it. I received a reply almost instantly,
Yes, I sent it. It's quite a good read and definitely the most insightful I have read on. It's something that you will be more interested in.
Thanks
I logged into the Office Portal as the Global Admin and checked the Inbox Rules for the affected account. There was a rule in place to delete all incoming emails. This is done to prevent the victim from receiving emails like mine asking if the email was sent by them. Often you will find that a forwarding email has been set up so incoming emails are sent to the hacker before deleting. In this case, there wasn't a rule for forwarding. However, I know there was a forward in place somehow since the perp was responding to my email, perhaps an autoreply with a standard message.
I was unable to reach the client by phone so after conferring with the office manager we decided it was best to change the password of the affected account. She too had received the email. When I was able to talk to the client by phone it turns out he was busy fielding calls from contacts who had received the email.
My next step was to ascertain the source of the email. This led to a new surprise. This is the first example of this I've found, there were no internet headers.
In concluding, be wary of any email with an attachment that requires your email credentials to retrieve. It is a scam.
The Dangers when surfing the Internet
Emails are not the only way a hacker can exploit your machine. Websites can be used to deliver malicious payloads to your machine that can steal your information or exploit your machine for use by the attacker.
Some popular add-ins and programs have been exploited in the past to infect computers by fake updates or exploiting security holes and weaknesses. Adobe Flash Player, Java come to mind. Popular programs for creating web pages are also attacked. WordPress due to its popularity is no exception.
https://www.zdnet.com/article/another-wordpress-commercial-plugin-gets-exploited-in-the-wild/
Macs too are always under attack. The latest Trojan: https://www.zdnet.com/article/macos-malware-disables-gatekeeper-to-deploy-malicious-payloads/
Laugh of the Day, poor Internet Explorer...
